A significant vulnerability discovered in all Intel processor chips, and the impending fix, will have a huge impact on workstation and server performance moving forward. The Register first reported this major design flaw, which surfaced in Linux kernel patch notes. An update will need to be released for ALL operating systems (Linux distributions, Windows, macOS…).

Unfortunately, this patch is going to negatively affect your machines. Based on a few benchmarks, The Register believes machines running Intel chips are going to be 5 to 30 percent slower.

What Happened?

This vulnerability is particularly nasty because it’s a widespread hardware bug. Simply updating your machine cannot make the problem disappear. That’s why operating system vendors are currently redesigning some of the core functionalities of your machine as a workaround.

The Intel chip bug allows normal user programs to access the protected memory in the kernel. A kernel is the core of any operating system. It’s a process that manages the most sensitive tasks in your system. Basically, it’s the gatekeeper that allows a program to read and write files on your machine. It also manages the memory and peripherals, such as your keyboard and camera.

In layman’s terms, the kernel can do everything on your machine by design. The last thing anyone would want is for their kernel to be compromised – it is one of the most serious attack vectors in modern operating systems.

Because of a design flaw in the Intel chips, user programs with low privileges can read protected kernel memory. If an attacker or an intelligence agency can find a way to install a normal program on your machine, they would be able to read passwords stored in the kernel memory, private encryption keys, files cached from the hard drive, and much more.

Shared systems are even less protected. Many cloud hosting platforms, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform, share machine resources between multiple clients. Because those clients use the same hardware components, one client could use this exploit to access sensitive information belonging to another.

Pending Resolution

Developers working on the Linux kernel have been working toward a fix for quite some time. Their discussions are public, but details pertaining to the design flaw are still unclear. According to Python Sweetness, the security bug is under embargo. Intel will reveal more information about it once Microsoft, Apple, and the Linux team have released patches. Microsoft has been working on a patch since November; Apple is also working on a similar fix. The bad news is that the fix will inevitably make anything running on an Intel x86 or x86-64 processor run slower. AMD announced that its processors are not subject to the vulnerability.

We expect Microsoft to provide its solution in the upcoming Patch Tuesday release. As it is made available, our security team will work diligently to conduct tests prior to deployment. Rest assured that our group is staying on top of this matter for all our managed clients. For unmanaged clients, we strongly encourage you to contact us to discuss solutions for your organization.

UPDATE:

We regret to inform you that last week’s Intel flaw (dubbed Meltdown) that would potentially impact your network’s performance is far more severe and widespread than previously anticipated. There is also a second vulnerability (dubbed Spectre) that is not isolated to Intel-powered machines; those affected include AMD and ARM processors, which essentially encompasses most of the world’s devices. Unfortunately, the best solution is to replace any processors manufactured after 1995, but only when the chip manufacturers make a new one available. Until then, the only mitigation available carries potential performance and/or security risks, which we outline below.

Receive Patches to Address Vulnerability: Installing the patches specific to this issue could reduce server and desktop performance by 5 to 30%. Unfortunately, the patches and critical system updates significantly slow down processing performance, impacting computers as well as servers, especially those with limited CPU resources.

Not Receive Patches Addressing this Vulnerability: Not installing these patches will postpone the system performance issues associated with this fix, but will leave your networks susceptible to several known vulnerabilities which will become prime targets for attacks.
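
One way to confirm on a Linux host which of the two states above it is in, as an added example that is not part of the original article: patched Linux kernels report per-issue status under `/sys/devices/system/cpu/vulnerabilities`, and the script below classifies those status lines. The function names `classify_status` and `check_host` are hypothetical, and the script assumes a kernel recent enough to expose that directory.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on a Linux host.
# Assumption: the running kernel exposes the sysfs status directory below.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<status line>"
# Prints PATCHED, NOT_AFFECTED, VULNERABLE or UNKNOWN.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo PATCHED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;   # empty or unrecognised text
    esac
}

# check_host [dir]
# Prints one line per issue. Returns 0 when every issue is patched or not
# applicable, 1 when any is VULNERABLE or UNKNOWN, 2 when the directory is
# missing (kernel too old to report, so treat the host as unpatched).
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel does not report mitigation status" >&2
        return 2
    fi
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        line=""
        if [ -r "$dir/$name" ]; then
            line=$(head -n 1 "$dir/$name")
        fi
        state=$(classify_status "$line")
        printf '%-11s %-12s %s\n' "$name" "$state" "${line:-<no status file>}"
        case "$state" in
            VULNERABLE|UNKNOWN) rc=1 ;;
        esac
    done
    return $rc
}

# Run against the live system only when asked to: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

A non-zero exit code makes the script usable as a compliance check across a fleet, so hosts that were deliberately left unpatched for performance reasons stay visible.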